Tuta

2 months ago

Tuta
2 months ago

🚨 Privacy Win 🚨

The USA's loudest endorsement ever: CISA urges everyone to use encryption!

Use services like #Signal and #Tuta to secure your online communication.

Here's the news: tuta.com/blog/us-cisa-endorses…

PRIVACY WIN: US agency CISA asks you to use E2E-ENCRYPTION

The USA's loudest endorsement ever: CISA urges everyone to use encryption! | Tuta

Following the Salt Typhoon hack, CISA recommends to secure online communication with strong end-to-end encryption and to use apps with zero metadata.

^Tuta

in reply to Tuta

Karl Emil Nikka

in reply to Tuta 2 months ago

It would be great if Tuta had support for end-to-end encrypted emails as well, not just end-to-end encrypted messages between Tuta users.

in reply to Karl Emil Nikka

Tuta

in reply to Karl Emil Nikka 2 months ago

@karlemilnikka You can send to anyone encrypted by sharing a password: tuta.com/blog/how-to-password-…

The easiest way to send password-protected emails | Tuta

Unsure of how to send a password-protected email? Find out how easy it is in this quick guide.

^Tuta

@Karl Emil Nikka

in reply to Tuta

Yes, but that isn’t practical outside edge cases. Please consider adding support for PGP with WKD (in addition to your custom solution for intra-Tuta messages) so we can start emailing end-to-end encrypted by default and without having to share passwords.

in reply to Karl Emil Nikka

Tuta

in reply to Karl Emil Nikka 2 months ago

@karlemilnikka We'll discuss this, thanks!

@Karl Emil Nikka

in reply to Tuta

AzureCerulean

in reply to Tuta 2 months ago

It's only secure if YOU generate and hold the keys, not a man in the middle.

in reply to AzureCerulean

Tuta

in reply to AzureCerulean 2 months ago

@AzureCerulean Yes, that's why in Tuta the keys are generated on your client, encrypted with your password,and only then sent to the server - in encrypted form. The keys never get decrypted on the server, and you can check this as the code is open source. Here are more details: tuta.com/de/blog/private-key

Thoughts on 'Why a Private Key Should Not Be Stored on a Central Server'. | Tuta

Making email encryption easy is hard: While you must automatically exchange keys for the encryption to work, you must also make sure that the private key can only be accessed by the user. This is a fundamental requirement to prevent any backdoor.

^Tuta

@AzureCerulean

in reply to Tuta

AzureCerulean

in reply to Tuta 2 months ago

But who controls the data on the server? Is it self-hostable, It' might be end-to-end encrypted from the user to the server and back, but that's where it ends.

You might as well use apple and iMessage/iMail/iCal otherwise it's just as secure, and if/when a government comes in and says turn over your user data or intercept the messages they have too.

The Client maybe GPL3 But until the server is available and released under the same license there is no reason to change.

in reply to AzureCerulean

Tuta

in reply to AzureCerulean 2 months ago

@AzureCerulean The entire encryption takes place on the client so the server only see encrypted data.

We plan to publish a small, open source server for self-hosting in the future. The current server structure is much too complex for that so we did not see the point in publishing the code.

@AzureCerulean

⇧

Tuta

Tuta 2 months ago • •

Tuta
2 months ago